Given this specifically calls out subresources and the design doc lists "the 
case of navigations" as "followup work," you're explicitly not touching how 
navigations (top-level or an iframe) work at this stage, correct?

I expect the most significant compat impact to come from Windows apps that 
delegate to the default browser to do a login flow where the last step of the 
auth flow is making a request to a localhost HTTP server to pass back to the 
app an auth ticket.

I anticipate most of those are top-level navigations, but in my experience with 
the first version of Microsoft Edge (pre-Chromium), which prevented localhost 
loopback for subresources (including iframes), there were apps that handled it 
some other way which we broke. Some of those may have been passing it back via 
an iframe navigation (I don't recall; it was 6+ years ago), in which case they'll 
potentially still work after this change.

The Microsoft Edge team will work to reach out to Microsoft teams that are 
potentially impacted. If the roadmap is going to eventually force a preflight 
before allowing a navigation to a private network origin, we would ideally 
include clear guidance on what's likely coming there as well. Is there a 
general timeline you have in mind for expanding this to navigations as well?

From: 'Titouan Rigoudy' via blink-dev <blink-dev@chromium.org>
Sent: Monday, November 29, 2021 7:37 AM
To: blink-dev <blink-dev@chromium.org>
Subject: [blink-dev] Intent to Ship: Private Network Access preflight requests 
for subresources

Contact emails
tito...@chromium.org, v...@chromium.org, cl...@chromium.org


Explainer
https://github.com/WICG/private-network-access/blob/main/explainer.md


Specification
https://wicg.github.io/private-network-access/


Design docs

https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit


Summary

Sends a CORS preflight request ahead of any private network requests for 
subresources, asking for explicit permission from the target server. A private 
network request is any request from a public website to a private IP address or 
localhost, or from a private website (e.g. intranet) to localhost. Sending a 
preflight request mitigates the risk of cross-site request forgery attacks 
against private network devices such as routers, which are often not prepared 
to defend against this threat.



Blink component
Blink>SecurityFeature>CORS>PrivateNetworkAccess


TAG review
https://github.com/w3ctag/design-reviews/issues/572


TAG review status
Pending


Risks



Interoperability and Compatibility

The main interoperability risk, as always, is if other browser engines do not 
implement this. Compat risk is straightforward: web servers that do not handle 
the new preflight requests will eventually break, once the feature ships. The 
plan to address this is as follows:

1. Send preflight request, ignore result, always send actual request. Failed 
   preflight requests will result in a warning being shown in devtools.
2. Wait for 3 milestones.
3. Gate actual request on preflight request success, with deprecation trial 
   for developers to buy some more time.
4. End deprecation trial 4 milestones later.

UseCounters:
https://chromestatus.com/metrics/feature/timeline/popularity/3753
https://chromestatus.com/metrics/feature/timeline/popularity/3755
https://chromestatus.com/metrics/feature/timeline/popularity/3757

The above measure pages that make at least one private network request for 
which we would now send a preflight request.


Gecko: Worth prototyping 
(https://github.com/mozilla/standards-positions/issues/143)

WebKit: No signal 
(https://lists.webkit.org/pipermail/webkit-dev/2021-November/032040.html) 
Pending response.

Web developers: No signals. Anecdotal evidence so far suggests that most web 
developers are OK with this new requirement, though some do not control the 
target endpoints and would be negatively impacted.

Other signals:


Ergonomics

None.



Activation

Gating access to the private network overnight on preflight requests would 
likely result in widespread breakage. This is why the plan is to first send 
requests but not act on their result, giving server developers time to 
implement code handling these requests. Deprecation warnings will be surfaced 
in DevTools to alert web/client developers when the potential for breakage 
later on is detected. Enforcement will be turned on later (aiming for 3 
milestones), along with a deprecation trial for impacted web developers to buy 
themselves some more time. Experience suggests a large fraction of developers 
will not notice the advance deprecation warnings until things break.



Security

This change aims to be security-positive, preventing CSRF attacks against soft 
and juicy targets such as router admin interfaces. DNS rebinding threats were 
of particular concern during the design of this feature: 
https://docs.google.com/document/d/1FYPIeP90MQ_pQ6UAo0mCB3g2Z_AynfPWHbDnHIST6VI/edit#heading=h.189j5gnadts9



Debuggability

Relevant information (client and resource IP address space) is already piped 
into the DevTools network panel. Deprecation warnings and errors will be 
surfaced in the DevTools issues panel explaining the problem when it arises.



Is this feature fully tested by web-platform-tests 
(https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md)?
Yes


DevTrial instructions
https://github.com/WICG/private-network-access/blob/main/HOWTO.md


Flag name
PrivateNetworkAccessRespectPreflightResults


Requires code in //chrome?
False


Tracking bug
https://crbug.com/591068


Launch bug
https://crbug.com/1274149


Estimated milestones
DevTrial on desktop
98

DevTrial on android
98




Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5737414355058688


Links to previous Intent discussions
Intent to prototype: 
https://groups.google.com/a/chromium.org/g/blink-dev/c/PrB0xnNxaHs/m/jeoxvNjXCAAJ


This intent message was generated by Chrome Platform Status 
(https://www.chromestatus.com/).
--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPATO9fdAK%2BnrTfUzug8ub_DhV_LE0b7XrgZ7j5%2Bj_BHtW-FXg%40mail.gmail.com.
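As an added illustration, not code from the intent mail or from Chromium, here is what a localhost HTTP server of the kind discussed in this thread (an auth-ticket loopback listener, or a router admin page) has to do to keep working once preflights are enforced: answer the OPTIONS preflight for an allowlisted origin and refuse everything else. The header names Access-Control-Request-Private-Network and Access-Control-Allow-Private-Network are taken from the PNA spec rather than this mail, and the allowlisted origin is a constructed placeholder.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allowlist (placeholder origin): the only public site this
# localhost service is willing to serve. A wildcard here defeats the point.
ALLOWED_ORIGINS = {"https://app.example"}


def preflight_decision(origin, pna_requested):
    """Answer a CORS/PNA preflight (OPTIONS); returns (status, headers).
    Header names are from the PNA spec (assumed, not quoted in the mail).
    Omitting the allow headers is the deny path: once enforcement ships the
    browser never sends the actual request; before that DevTools warns."""
    if origin not in ALLOWED_ORIGINS:
        return 403, {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }
    # Grant private-network access only when the browser explicitly asked.
    if pna_requested == "true":
        headers["Access-Control-Allow-Private-Network"] = "true"
    return 204, headers


class Handler(BaseHTTPRequestHandler):
    def do_OPTIONS(self):
        status, headers = preflight_decision(
            self.headers.get("Origin"),
            self.headers.get("Access-Control-Request-Private-Network"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # The actual request: a passed preflight is not per-request
        # authorization, so the Origin check is repeated rather than trusted.
        origin = self.headers.get("Origin")
        allowed = origin in ALLOWED_ORIGINS
        body = b"ok\n" if allowed else b"forbidden\n"
        self.send_response(200 if allowed else 403)
        if allowed:
            self.send_header("Access-Control-Allow-Origin", origin)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":  # loopback only, like the auth-ticket servers above
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

During the warning-only phase a 403 here only produces a DevTools warning; after enforcement the same answer blocks the request, so the allowlist is the thing to get right before the milestone flips.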
